[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3292 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 3292
To support research about the impact of digital communication platforms
on society by providing privacy-protected, secure pathways for
independent research on data held by large internet companies.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 1, 2025
Mr. Coons (for himself and Mr. Cassidy) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To support research about the impact of digital communication platforms
on society by providing privacy-protected, secure pathways for
independent research on data held by large internet companies.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Platform
Accountability and Transparency Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Qualified research projects, qualified researchers, and
qualified data and information.
Sec. 4. Obligations and immunity for platforms.
Sec. 5. Obligations and immunity for qualified researchers.
Sec. 6. Reporting.
Sec. 7. Enforcement.
Sec. 8. Establishing a safe harbor for research on platforms.
Sec. 9. Rulemaking authority.
Sec. 10. Authorization of appropriations.
Sec. 11. Severability.
SEC. 2. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) NSF.--The term ``NSF'' means the National Science
Foundation.
(3) Personal information.--The term ``personal
information'' means any information, regardless of how the
information is collected, inferred, or obtained that is linked
or reasonably linkable to a specific consumer or consumer
device.
(4) Platform.--The term ``platform'' means any entity
subject to the jurisdiction of the Commission under section
5(a)(2) of the Federal Trade Commission Act (15 U.S.C.
45(a)(2)) that--
(A) operates a website, desktop application,
augmented or virtual reality application, or mobile
application that--
(i) permits a person to become a registered
user, establish an account, or create a profile
for the purpose of allowing the user to create,
share, and view user-generated content through
such an account or profile;
(ii) enables 1 or more users to generate
content that can be viewed by other users of
the platform; and
(iii) primarily serves as a medium for
users to interact with content generated by
other users of the platform and for the
platform to deliver ads to users; and
(B) has at least 50,000,000 unique monthly users in
the United States for a majority of the months in the
most recent 12-month period.
(5) Qualified data and information.--
(A) In general.--Subject to subparagraph (B), the
term ``qualified data and information'' means data and
information from a platform--
(i) that the NSF determines is necessary to
allow a qualified researcher to carry out a
qualified research project; and
(ii) that--
(I) is feasible for the platform to
provide;
(II) is proportionate to the needs
of the qualified researchers to
complete the qualified research
project;
(III) will not cause the platform
undue burden in providing the data and
information to the qualified
researcher; and
(IV) would not be otherwise
available to the qualified researcher.
(B) Exclusions.--Such term does not include any of
the following:
(i) Direct and private messages between
users.
(ii) Biometric information, such as a
fingerprint, voiceprint, eye retinas, irises,
or other unique biological patters or
characteristics.
(iii) Precise geospatial information.
(6) Qualified researcher.--
(A) In general.--Subject to subparagraph (B), the
term ``qualified researcher'' means a researcher
affiliated with a United States university or a United
States nonprofit organization (as described in section
501(c) of the Internal Revenue Code of 1986) that is
specifically identified in a research proposal that is
approved as a qualified research project pursuant to
section 3.
(B) Exclusion.--Such term does not include a
researcher who is affiliated with a Federal, State,
local, or tribal law enforcement or intelligence
agency.
(7) Qualified research project.--The term ``qualified
research project'' means a research plan that has been approved
pursuant to section 3.
(8) State.--The term ``State'' means each of the 50 States
of the United States, the District of Columbia, Puerto Rico,
the Virgin Islands, American Samoa, Guam, and the Northern
Mariana Islands.
(9) User.--The term ``user'' means a person that uses a
platform for any purpose, including advertisers and sellers,
regardless of whether that person has an account or is
otherwise registered with the platform.
SEC. 3. QUALIFIED RESEARCH PROJECTS, QUALIFIED RESEARCHERS, AND
QUALIFIED DATA AND INFORMATION.
(a) Establishment.--Not later than 1 year after the date of
enactment of this Act, the NSF shall establish, in consultation with
the Commission, a research program to review research applications for
approval as qualified research projects.
(b) Research Program Requirements.--The research program
established by the NSF and the Commission under this section shall--
(1) provide that the NSF shall--
(A) establish a process to solicit research
applications in order to identify qualified research
projects;
(B) review research applications for scientific
merit;
(C) ensure research applications identify proposed
qualified researchers;
(D) publish guidelines and criteria to be used by
the NSF in determining how it will review research
applications seeking approval to be a qualified
research project;
(E) identify, in consultation with the Commission,
what data and information in a platform's possession
will be qualified data and information for the purposes
of carrying out a qualified research project;
(F) ensure that approved research applications do
not request data described in section 2(6)(B); and
(G) prescribe and publish guidelines and criteria,
in consultation with the Commission, used to determine
how the NSF and Commission will identify qualified data
and information necessary to conduct a qualified
research project;
(2) provide that the Commission shall--
(A) review research applications for privacy and
cybersecurity risks;
(B) for each qualified research project, establish
appropriate privacy and cybersecurity safeguards that a
platform must implement in the provision of, and with
which qualified researchers must comply to access,
qualified data and information that a platform is
required to share with qualified researchers pursuant
to a qualified research project, and such safeguards--
(i) must account for the relative
sensitivity of the qualified data and
information involved and be sufficient to
protect such data and information; and
(ii) may include alternative protections,
as appropriate and in consideration of the aims
of the qualified research project, including--
(I) encryption of the data in
transit and when not in use;
(II) delivery of the data in a
format that employs methods to prevent
qualified researchers from identifying
individuals in the dataset;
(III) data access logs; and
(IV) keystroke logs;
(C) in the case of each qualified research project,
consider whether to require the platform to provide a
secure physical or virtual environment to facilitate
delivery of the qualified data and information;
(D) establish appropriate privacy and cybersecurity
safeguards that a qualified researcher must implement
when receiving, storing, or analyzing qualified data
and information or generating new data using such
qualified data and information, including inferential
data based on such qualified data and information, and
such safeguards may include a requirement that a
qualified researcher delete qualified data and
information after completion of a qualified research
project, however any such safeguard must provide the
qualified researcher the ability to retain enough
information about the qualified data and information to
allow the researcher or their peers to recreate the
qualified research project upon request to, and
approval from, the NSF and Commission pursuant to this
section;
(E) publish a list of criteria for determining the
privacy and cybersecurity safeguards required for
qualified data and information related to a qualified
research project;
(F) provide a platform that is the subject of a
qualified research project with the opportunity to
provide comment about the privacy and cybersecurity
safeguards required for the qualified research project;
(G) provide researchers with the opportunity to
provide comment about the privacy and cybersecurity
safeguards required for a qualified research project;
(H) establish a process to ensure that qualified
researchers will be able to comply with any such
privacy and cybersecurity safeguards; and
(I) publish a list of criteria for determining
whether qualified researchers will be able to comply
with any such privacy and cybersecurity safeguards;
(3) provide that a research application may not be denied
on grounds of the race, color, age, sex, national origin,
political affiliation, or disability of the researcher;
(4) provide that a research application shall not be
approved as a qualified research project unless it--
(A) has been approved by an institutional review
board;
(B) has been deemed exempt from institutional
review board review; or
(C) is excluded from the criteria for institutional
review board review;
(5) provide a platform the opportunity to comment on and
appeal to the NSF and the Commission the approval of a
qualified research project for which the platform is required
to provide qualified data and information to qualified
researcher the grounds that--
(A) the platform cannot provide the qualified data
and information;
(B) providing access to the qualified data and
information would lead to significant vulnerabilities
in the security of the platform's service or user
privacy; or
(C) the privacy and cybersecurity safeguards
established by the Commission are not sufficient to
protect the qualified data and information; and
(6) require that any analysis by a qualified researcher
derived from a qualified research project that the qualified
researcher intends to publish undergo prepublication review by
the Commission to ensure that the analysis does not expose
personal information, or trade secrets.
(c) Qualified Researcher Capacity.--A qualified research project
may not proceed unless the proposed qualified researchers can
demonstrate that they have the capacity to comply with the privacy and
cybersecurity safeguards established for the qualified research
project.
(d) Aim of Project.--A research application shall not be approved
as a qualified research project unless it is in the public interest,
aims to study activity on a platform, and is used for noncommercial
purposes.
(e) No Judicial Review.--A determination by the Commission or the
NSF under this section regarding whether a research application will be
deemed a qualified research project shall not be subject to judicial
review.
(f) No Government Access.--If a platform provides qualified data
and information to a qualified researcher, no government entity may
seek access to such qualified data and information from the qualified
researcher.
(g) Researcher Consortia.--The Commission and NSF shall establish
procedures and necessary safeguards under this section that allow for
consortia of researchers to apply to seek data for the purpose of
conducting a series of qualified research projects.
SEC. 4. OBLIGATIONS AND IMMUNITY FOR PLATFORMS.
(a) Provision of Qualified Data and Information.--A platform shall
provide access to qualified data and information relating to a
qualified research project to a qualified researcher under the terms
and privacy and cybersecurity safeguards dictated by the Commission
pursuant to section 3 for the purpose of carrying out the qualified
research project.
(b) Continued Access to Qualified Data and Information.--
(1) In general.--A platform may not restrict or terminate a
qualified researcher's access to qualified data and information
for an ongoing qualified research project unless the platform
has a reasonable belief that the qualified researcher is not
acting in accordance with the cybersecurity and privacy
safeguards required for the qualified research project pursuant
to section 3.
(2) Notice and review of change to access.--If a platform
restricts or terminates a qualified researcher's access to
qualified data and information for an ongoing qualified
research project--
(A) the platform shall, within a reasonable time
(as established by the Commission), inform the
Commission in writing that the platform has restricted
or terminated the qualified researcher's access to the
qualified data and information; and
(B) the Commission shall promptly review the
platform's decision and determine whether the qualified
researcher has violated the privacy and cybersecurity
safeguards established for the qualified research
project.
(c) Notice to Platform Users.--The Commission shall issue
regulations requiring that platforms, through posting of notices or
other appropriate means, keep users informed of their privacy
protections and the information that the platform is required to share
with qualified researchers under this Act.
(d) Safe Harbor.--No cause of action under State or Federal law
arising solely from the release of qualified data and information to
qualified researchers in furtherance of a qualified research project
may be brought against any platform that complies with the Act.
(e) Right of Review.--If a platform fails to provide all of the
qualified data and information required under the terms of a qualified
research project to the qualified researcher conducting the project,
the qualified researcher or the researcher's affiliated university or
non-profit organization may bring an action in district court for
injunctive relief or petition the Commission to bring an enforcement
action against the platform.
(f) Security.--Nothing in this Act shall be construed to restrict a
platform's ability to--
(1) take immediate steps to protect an interest that is
essential for the life or physical safety of a natural person;
or
(2) respond to security incidents, identity theft, fraud,
harassment, malicious or deceptive activities, or illegal
activity, preserve the integrity of security of systems, or
investigate or report those responsible for such actions.
SEC. 5. OBLIGATIONS AND IMMUNITY FOR QUALIFIED RESEARCHERS.
(a) Scope of Permitted Use of Qualified Data and Information.--Each
qualified researcher who accesses qualified data and information shall
use the qualified data and information--
(1) only for the purposes of conducting research authorized
under the terms of the qualified research project involved; and
(2) in accordance with the privacy and cybersecurity
safeguards prescribed by the Commission for the qualified
research project.
(b) Protection of Personal Information.--A qualified researcher
that is provided access